Racco42

2016-12-12 Locky "Software License"

Dec 12th, 2016
2,117
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.03 KB | None | 0 0
  1. 2016-12-12 #locky email phishing campaign "Software License"
  2.  
  3. Sample email:
  4. ----------------------------------------------------------------------------------------------------------------------------
  5. From: "Zachariah Finch" <Finch.Zachariah@hundkurserforalla.se>
  6. To: [REDACTED]
  7. Subject: Software License
  8. Date: Mon, 12 Dec 2016 16:50:51 +0530
  9.  
  10. Hello [REDACTED], it is Zachariah.
  11. Sending you the scan of the software license agreement (Order #5434052).
  12. It is in the attachment. Please look into it ASAP.
  13.  
  14. ----
  15. Best Regards,
  16. Zachariah Finch
  17.  
  18. Attachment: softlic_5434052.zip -> ~Z9OK0OB3TN495M0OM51Q143N.wsf
  19. ----------------------------------------------------------------------------------------------------------------------------
  20. - sender varies between emails
  21. - subject is "Software License"
  22. - attached file "softlic_<7 digits>.zip" contains file "~<15+ uppercase chars and digits>.wsf", a JScript downloader
  23.  
  24. Download sites:
  25. http://bestbuylocal.com/ebboelbvs
  26. http://bestbuylocal.com/g2jvhsj9
  27. http://bestbuylocal.com/jfrtat
  28. http://bestbuylocal.com/vbaa8ys
  29. http://bestbuylocal.com/ycohx
  30. http://bestbuylocal.com/ykbbwq
  31. http://goodfoodprod.xyz/1exhfeofq9
  32. http://goodfoodprod.xyz/avntp
  33. http://goodfoodprod.xyz/cq8bqngvv
  34. http://goodfoodprod.xyz/ixtd7wctq
  35. http://goodfoodprod.xyz/oxw8e
  36. http://goodfoodprod.xyz/yxurej67wf
  37. http://qijiaosoft.com/xb4bwcomo
  38. http://rent-guarantee-insurance.co.uk/kuyzc
  39. http://rnaweb.nl/lib46
  40. http://sinanagirman.com/glouswg3g
  41. http://skpc.org.au/skhaxqghvx
  42. http://slipko.ru/rrbjjgb
  43. http://sobretesis.com/nunltpk
  44. http://softwarecomparel.org/a8ytyay8
  45. http://softwarecomparel.org/bc1pmv
  46. http://softwarecomparel.org/gfigo3ezn3
  47. http://softwarecomparel.org/lcv3ysact
  48. http://softwarecomparel.org/miaoaty9n
  49. http://softwarecomparel.org/xv9ecbtgj
  50. http://sorrentovalleypainrelief.com/ky9rk
  51. http://sovereignkitchens.com.au/gzttjwu9xp
  52. http://speciaaldesign.nl/xuazakski
  53. http://speckftp.de/ev1hcdxt
  54. http://sportsarena.gr/xjrue
  55. http://staygray.com/kxwcgnu
  56. http://staygray.com/mivftkxnmp
  57. http://stephaniemiddendorp.nl/h05ld2sut
  58. http://stjohns2012.ca/vn1wvzjk
  59. http://studioangelucci.eu/kmdkffw
  60. http://syedtradingco.com/yq6pp5kfu
  61. http://syncfish.com/qdzzef
  62. http://systemrma.pl/lumigwma
  63. http://t38faxvoip.com/yz3w7mn
  64. http://tbhomeinspection.com/mwo7gb
  65. http://tdtx.cn/zvzenep
  66. http://techpow.net/xme9kj
  67. http://teknoportbilisim.com/mkqamw6n
  68. http://tengalo.com/fwzysh
  69. http://the-agathon.com/gvcid8b
  70. http://thecodega.com/xegesuly
  71. http://thenumastore.com/k8f5irc
  72. http://theory.issp.ac.cn/xcemhkbr
  73. http://thxlove.com/odulqznn7
  74. http://tikrasturtas.lt/f8cfwlon
  75. http://tinybearshop.com/zlogeol
  76. http://tivicast.org/khlmwxrb
  77. http://tobybender.com/t4z8xrgdxz
  78. http://toyallstar.com/kohknfsf
  79. http://trade-unite.ru/k2qplhwug
  80. http://translate-all.eu/tdc7xep8yy
  81. http://trehoada.org/yuinghwmsz
  82. http://trendsandtrades.nl/wigm99l
  83. http://trilab.sk/epimbssz
  84. http://usedtextilemachinerylive.com/f5ee9qaadu
  85. http://v4c.tv/6arm9pnzr1
  86. http://valtho.com/6phqkll
  87. http://vanks.cl/2t3huwd
  88. http://villa64.dk/19tew8i
  89. http://vipseal.de/mvhhdq
  90. http://vodatelsys.com.cn/58lupnimb
  91. http://waner888.com/4go17e
  92. http://watchesheaven.com/altxyjw
  93. http://wflife.net/87o3ozdd
  94. http://wordpad.org/7ks1j
  95. http://wphone3c.com/6ap7em
  96. http://wreckingcrewnow.com/bfnfwyt87y
  97. http://wywfanp.com/4vasxe0mx
  98. http://xangelle.com/8wlji
  99. http://yes2malaysia.com/aekwxxd0e
  100.  
  101. UPDATED:
  102. http://smartfoodbuys.com/g2dznw
  103. http://thcr.com/f3g2xlxcvb
  104. http://zamiri.com/bsb6ql
  105.  
  106. Malware
  107. - encoded on download:
  108. 6c240457360a184035d9c61157762874bd750b9dd17aac0c1d5140a793da1c1f http___bestbuylocal.com_ebboelbvs
  109. 82f8af07906ca58c34b3bc50ade9de8aff43bd7f75b21b22ea8641f1087297da http___bestbuylocal.com_g2jvhsj9
  110. 7ce38ba0095ce0f7c6eea4c68ee286181e52efbf9bd62eaf1b369e3ff6654129 http___bestbuylocal.com_jfrtat
  111. 6982f13f6ddc8a3b5f588d850799edd262604110c7157fad35543faef87a69e0 http___bestbuylocal.com_vbaa8ys [1]
  112. 00836a1123532fbdfe96ff09358562982076e9a3ca8dbc036a26721cc4b570e1 http___bestbuylocal.com_ycohx
  113. 39ecd50a786a05483232d5d8e225a8b2a93c2ab104e926d0e4b0638c3793e5f4 http___bestbuylocal.com_ykbbwq
  114. 436fcd82ea790ba1e624bf4901999f448e0c5451875a3839c32631425b5b139c http___goodfoodprod.xyz_1exhfeofq9
  115. 3a7f4f2ea8ae35f61a4363b313684655d478e00e1968dbf8206888d109225f5a http___goodfoodprod.xyz_avntp
  116. b76cf76b6be672c5ac01498dfcb11bf8faa69850f9005ab44aa8637910faeb03 http___goodfoodprod.xyz_cq8bqngvv
  117. 7088c77e934514a88bbd1d7715482d47d076e0d70fad73249b602e7a3bccd56f http___goodfoodprod.xyz_ixtd7wctq
  118. 2c7efb537d860c5ea416ec3a2710d7090eb3c238462c74d265bce6052a7fe3a2 http___goodfoodprod.xyz_oxw8e
  119. 642d73b3ade4f40a139f44ecb7fe6b15d29ac928917192827aa58b50c2ecf87d http___goodfoodprod.xyz_yxurej67wf
  120. d678844a59cc1165323b8394b4ced2d04725f3bcb41bb06751d5aab8b026c041 http___qijiaosoft.com_xb4bwcomo
  121. 6ad19b97942c8a1c9645afedf24216893e0518cd5e7228bd511d8aa66d43bf5e http___rent-guarantee-insurance.co.uk_kuyzc
  122. 7d23a9e12393ba31f5515532b3c5d30368adf1d7c19f02c4ac6c71582267c7c6 http___rnaweb.nl_lib46 [4]
  123. 14a35c37f6dab8be3eff608f03553e492186358fa60c832ec263d8564dc5bc0d http___sinanagirman.com_glouswg3g
  124. ea75041ff4bd473db262abdbe48b053be966d8c76b2bdce4ddee3d07ffaf3c78 http___skpc.org.au_skhaxqghvx
  125. e0dd4f363afb34457649803fe84c190815159f4329b3fb698235514346d146df http___slipko.ru_rrbjjgb
  126. 4cd284e46b4b0f4eb9f8c62d94a8a1451ce3c538cfa95c6d5d4bb323ef016cf7 http___sobretesis.com_nunltpk
  127. 4ef2782bfb9b1d06a2e078bf5ae2ccd96d2103344c529ff4cbbec52898f0f440 http___softwarecomparel.org_a8ytyay8
  128. 9f525417034f03161834dc8065098a68fed6d26156037c781e50c24ac93f365e http___softwarecomparel.org_bc1pmv
  129. 3c5c9e53ac0419dff9b85dea2fd09a49689fce9f010bdff153b108af23b2b419 http___softwarecomparel.org_gfigo3ezn3
  130. ae506384c7636cf9794c9501ec4d5c31be4d0ee3697282c4ed12672be28d8f8b http___softwarecomparel.org_lcv3ysact
  131. d09ebf1541419c8057aeec586b83c170a1ea5c345d541fdc7c33f213dc1f0723 http___softwarecomparel.org_miaoaty9n
  132. d22dcbcb8bc2a610f4331312380f77daf0cba9f4513a5624b899c758e0e76677 http___softwarecomparel.org_xv9ecbtgj
  133. ba5aa03d724d17312d9b65a420f91285caff711e2f891b3699093cc990fdaae0 http___sorrentovalleypainrelief.com_ky9rk
  134. aaeacc5507be1cb771d0df740e389849a417bdc259f64fba0f368639629d6d33 http___sovereignkitchens.com.au_gzttjwu9xp
  135. e49108967bf25018b37a9003ccbea4e995257ef598076d9c95c4718ace5c5df4 http___speciaaldesign.nl_xuazakski
  136. f32aa3677fab56060e02e8275f518ffe714c8a2ca37f127e869464e740aac2e9 http___speckftp.de_ev1hcdxt
  137. 6dbecfffa73aa316b67c4adcad0529cfd077a44f002dbd499c953dd57dae063e http___sportsarena.gr_xjrue
  138. 70f726faad3d308f69e078277490223feaa610d808774d7dd20cf3d1b602771c http___staygray.com_kxwcgnu
  139. 2f7fec278ddf37c67d062b4c46fa16fbea2cdb7d9d5cfe739599736ce9759749 http___staygray.com_mivftkxnmp
  140. 938b29ef27b15b968599b4e398c0e98989496a077cfe2ed61781acd3593a415a http___stephaniemiddendorp.nl_h05ld2sut
  141. ebef46f2525369da429ade7192c616a09bda1d4e3b178f4b09524c2a5b7420be http___stjohns2012.ca_vn1wvzjk
  142. 0f46d8774e4d0f2c9d544adb12204185a9d2d040e7670bb6b9a0ad700636ece7 http___studioangelucci.eu_kmdkffw
  143. 0743495293b35912ae279d980ef65a91311b140a0fbc46e410f49f5a0338fd9d http___syncfish.com_qdzzef
  144. 336d5c2872f48df0438f3fd06b661a1265234540176a1d6e674bd301f3ef2412 http___systemrma.pl_lumigwma
  145. 1ab91e13c366d7821d043d03293c7075da42610860199cd115f0191ed5c92df2 http___t38faxvoip.com_yz3w7mn
  146. 35b0ac0b34949c988998259db6f871013289d24fd5f4992f2dbe180d3016504b http___tbhomeinspection.com_mwo7gb
  147. 495d947f5355dc0dbf7a1f5f2265ccae1ec3bbbba7a13473b3724d3f7e19668b http___techpow.net_xme9kj [5]
  148. fe101e6a832c5abad7bc93a1dc084b82cfa2eae0ce49ea822e44a74cf0240406 http___teknoportbilisim.com_mkqamw6n
  149. 07cb813888ba2d1749a70c509db8f58bd1513a82076ea7c786219280aa749cb7 http___tengalo.com_fwzysh
  150. ef13189ec4dc48b315477d4eea293e84e3a46e58498f1496cbdece75d906958d http___the-agathon.com_gvcid8b
  151. 3f7d0ade8b072b97de1ce6af9d6198558c581abd8311c0a558e97db185132add http___thecodega.com_xegesuly
  152. 57a89413d4feb0a6fb53f7de5d79c1ddae90e94467761948fbc15e88c1f33677 http___theory.issp.ac.cn_xcemhkbr [2]
  153. e13e9a52f0d38101b43d25a401133b293304aa8a8c76cd97f4d5aaa1276d7240 http___thxlove.com_odulqznn7
  154. 53488a8bba05a8565c8d5cddb6182e5f1424d13d477466637fdd9565a536f97b http___tinybearshop.com_zlogeol [3]
  155. a8f56da9ae47d0afc1c10c043846f9094c3dd24e8a0f08123f9a47bf7506c471 http___tivicast.org_khlmwxrb
  156. 324028c7b75ced6d643038d77a89973cb1443d15fd30e4e06a1a8b4b90081468 http___tobybender.com_t4z8xrgdxz
  157. 0fb8a5628f8324d4c953f3f8abf1db535c6da21183e89db5eaa0ba81eaeea4fa http___toyallstar.com_kohknfsf
  158. 0e155e49aaccb4745ec41e06d87e351403a064759f21d828587e326cf8c1173e http___trade-unite.ru_k2qplhwug
  159. 7bc4ab4a930525f38f1da56e0b9957632236ef27dc4d30f627449caa49671580 http___translate-all.eu_tdc7xep8yy
  160. 6119c70af8fe33fb465ec81084700be4e5b46422efaab30468185c87de91bd1d http___trehoada.org_yuinghwmsz
  161. 3674f42841fbda919aadce725f0b977219f06b5fecba21f9187c39d59f0b4f5d http___trendsandtrades.nl_wigm99l
  162. f616fa9d194b3381e5e925be9d222cd14940a7aee7fa0bc45ddffd0270071795 http___trilab.sk_epimbssz
  163. d8cae33291181cc00ee04953be02d7043b9e1c47c22b5feafcdb0f0b9b4c6127 http___v4c.tv_6arm9pnzr1
  164. 7b431bd614690f420f9deba4cad3cc291e90a49e974fe2be7cea7f24c0ad0cb7 http___vanks.cl_2t3huwd
  165. 50ea9164fab21ec93c63ded772eb651ddc64ad3f8ff73b001579d3b816130970 http___villa64.dk_19tew8i
  166. 96d7d8f82dec80450db10412ecbc84f60a8f2fe5b006923b63899f5581c2a065 http___vipseal.de_mvhhdq
  167. 31b74aa8c4bfea1046ea599b275866d1a8e05872160bb03347d5ab6d2b211d56 http___vodatelsys.com.cn_58lupnimb
  168. 40b523ea24f1d8a86a415306d3a088971276dd5e5b89e293121423a9d3afefdd http___waner888.com_4go17e
  169. 5812e92b756fb330c238fd198a70e19a9492c5721a6461741cc252726a88e236 http___wflife.net_87o3ozdd
  170. f67f079aafe44a6e3671981729e811f89104af71d07e310ecf2ccc3e97c0141f http___wordpad.org_7ks1j
  171. db3c8e9874a8051904be88b3a5288fb96dc76c9461c65347e3516ece7709cba1 http___wphone3c.com_6ap7em
  172. 71f266b9dd2dd96ae9cfb248aa59ecd6fda27bafd1dc30ce39906488867e100b http___wreckingcrewnow.com_bfnfwyt87y
  173. 2be8ec6667022433ba1c1e7e4e28c6170769bc2923ad70e9ba8e8ea0a0c9eb57 http___xangelle.com_8wlji
  174. - decoded
  175. b3a6589f9d8848c89640bd822a674fe1169846fb321a9df82b93d15f0bcd8386 [1]
  176. d531179eb52a2e1ff66cdba1239dee39f7503046091072ca796eceb402e92322 [2]
  177. 46e6b1fec964bbbeebe26370f8513cb082e42a8f12975c8088773962e82919ae [3]
  178. 6897c919c63f6570dbe7b0ccd85739d56f05366ed4f9908f837ccf59193caa03 [4]
  179. 30a13967591a22b54707d2a8e3016e2aec8317aebfe324165c2246198ff41eec [5]
  180. - executed by "rundll32.exe %TEMP%\<filename>.ZK,64Hq4CTd1F2mXYBw"
  181. - samples
  182. https://www.virustotal.com/file/b3a6589f9d8848c89640bd822a674fe1169846fb321a9df82b93d15f0bcd8386/analysis/1481543687/ [1]
  183. https://www.virustotal.com/file/d531179eb52a2e1ff66cdba1239dee39f7503046091072ca796eceb402e92322/analysis/1481543734/ [2]
  184. https://www.virustotal.com/file/46e6b1fec964bbbeebe26370f8513cb082e42a8f12975c8088773962e82919ae/analysis/1481543749/ [3]
  185. https://www.virustotal.com/file/6897c919c63f6570dbe7b0ccd85739d56f05366ed4f9908f837ccf59193caa03/analysis/1481543769/ [4]
  186. https://www.virustotal.com/file/30a13967591a22b54707d2a8e3016e2aec8317aebfe324165c2246198ff41eec/analysis/1481543785/ [5]
  187.  
  188. C2:
  189. POST http://185.46.11.236/checkupdate
  190. POST http://91.200.14.109/checkupdate
  191. POST http://93.170.104.23/checkupdate
  192. POST http://95.213.224.117/checkupdate
Add Comment
Please, Sign In to add comment